I want to do a webapp where you interact with other users, but I don't want that the user sign up with a login and a password (like BrowserQuest).
Then, I thought using a variable with a random number stored in the local storage. But I think that it's not secure because if someone analyse my code, and see in which variable the name is stored and then write in the URL:
javascript:localStorage["variableWhereNameIsStored"]="nameOfSomeoneElse";void(0);
he can steal his account.
Then I thought of the unique ID of each iPhone/iPod/iPad. But in javascript, we can't access it : Get iphone ID in web app. There is also the IP, but it's not reliable. And there is the cookies, but here also, the user can use injection.
What is the best way to identify users in my webapp?
One solution would be to give each person a unique session id (probably in cookie form) that only they know. This would connect them to a user id in the backend.
Another solution would be to set the user id in a cookie as a signed cookie. Again that is dependent on your backend but you can see a python solution here: http://webpython.codepoint.net/mod_python_publisher_cookies_signed.